[9995] in bugtraq
Re: FrontPage + Apache + FreeBSD
daemon@ATHENA.MIT.EDU (Roberto Grassi)
Fri Mar 26 16:22:31 1999
Date: Fri, 26 Mar 1999 16:32:07 +0100
Reply-To: Roberto Grassi <roberto@NET-ONE.IT>
From: Roberto Grassi <roberto@NET-ONE.IT>
X-To: omni@DYNMC.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.4.10.9903220808240.53022-100000@ns1.dynmc.net> from
"Gregory A. Carter" at Mar 22, 99 08:20:27 am
> I've sent in a report for FrontPage extensions and their lack of security
> and so far after about two weeks have yet to gain a reply. I have
> searched hours on end on multiple lists for a solution to this problem and
> still have not found an answer so I have come to the conclusion that it is
> a bug and am so forth posting on it to bugtraq in hopes that a solution
> will be made.
>
> We run apache web servers with FrontPage Extensions compiled in as a
> module and have noticed that when using virtual hosts there is a huge
> security issue. When using the "ServerAlias" directive on a virtual
> domain, the alias will work fine on the web, however if you try to open
> FrontPage and use the alias's name (and "list webs") the extensions will
> display the server's root web, not the virtual root web. Usually this
> wouldn't harm anything however I've found that if you try and open the
> root web using the aliased domain it will use the aliased domain's
> permissions and open the root web.
>
> Here's an example:
>
> http.conf
>
> <VirtualHost domain.com>
> [insert paths etc and extra options here]
> ServerAlias www.domain.com
> </VirtualHost>
And if you don't use the ServerAlias directive? Does it happen again?
We have configured Apache with the FP98 extensions on our FreeBSD but
it doesn't appear to suffer the problem you expose.
I gathered FP98 extensions information from
http://www.rtr.com/fpsupport/discuss.htm
> Now... we install frontpage extensions for domain.com.
>
> Next we open frontpage on our machine and point it to domain.com, open the
> web which should work fine and add a user. For our purposes I'll use
> "testing" with the password of "fpsucks". Close the frontpage web then
> reopen only this time before we hit "list webs" use the domain
> www.domain.com. Now frontpage will return the server's root web instead
> of the virtual root. Select it and click ok to open and the u/p box will
> appear. Now usually this should be asking for the root web's username and
> password and other webs' permissions shouldn't work. However we enter the
> username of "testing" and the password of "fpsucks", lo and behold it
> opens the root web and allows the user the same permissions that the
> virtual web had for it.
>
> Nasty. My apologies if I'm just ignorant but I seriously haven't found ANY
> articles about this and I've searched the third party software vendor that
> Microsoft uses for FP extensions without a solution.
>
> Greg
>
> +(Omni@Dynmc.Net)------------------------------------------------------+
> | Dynamic Networking Solutions InterX Technologies |
> | Senior Network Administrator bits/keyID 1024/7DF9C285 |
> | omni@interx.net omni@itstudio.net omni@undernet.org omni@webpop3.com |
> +--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
>
However, I still have many doubts about FrontPage security and functionality.

Grassi Roberto
System & Network Administrator
e-mail: roberto@net-one.it

NET1 S.r.l.
via S.Cristoforo, 44
21047 Saronno (VA) - ITALY
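To make the alias/root-web mismatch described in the quoted report auditable, here is an added example (mine, not code from either poster or from the FrontPage extensions): it parses the VirtualHost blocks of an httpd.conf, models Apache's ServerName-then-ServerAlias host matching next to a ServerName-only lookup (the behaviour the report attributes to the extensions), and lists every hostname that would fall through to the server's root web. The config fragment is constructed, and the extensions' internal lookup is modelled from the report's description rather than taken from their code.

```python
import re

# Constructed httpd.conf fragment (not from the original post), laid out like
# the ServerAlias example in the quoted report.
SAMPLE_CONF = """
<VirtualHost domain.com>
    ServerName domain.com
    ServerAlias www.domain.com
</VirtualHost>
<VirtualHost other.com>
    ServerName other.com
    ServerAlias www.other.com ftp.other.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one {'name': ServerName, 'aliases': [ServerAlias...]} per block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name, aliases = addr.strip(), []
        for parts in (line.split() for line in body.splitlines()):
            if parts and parts[0].lower() == "servername":
                name = parts[1]
            elif parts and parts[0].lower() == "serveralias":
                aliases += parts[1:]
        vhosts.append({"name": name, "aliases": aliases})
    return vhosts

def lookup(host, vhosts, honour_aliases):
    """Map a Host header to a vhost name. Apache tries ServerName, then
    ServerAlias; a ServerName-only lookup (how the report says the FrontPage
    extensions behave) finds nothing and falls through to the root web (None)."""
    host = host.lower()
    for v in vhosts:
        if host == v["name"].lower():
            return v["name"]
    if honour_aliases:
        for v in vhosts:
            if host in [a.lower() for a in v["aliases"]]:
                return v["name"]
    return None

def alias_only_names(vhosts):
    """Names that reach a vhost only through ServerAlias: each lands on the
    root web under a ServerName-only lookup and needs its own FrontPage entry."""
    return [a for v in vhosts for a in v["aliases"]
            if lookup(a, vhosts, honour_aliases=False) is None]
```

Running `alias_only_names(parse_vhosts(SAMPLE_CONF))` gives the list of hostnames to verify against the extensions, one "list webs" check per name.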